Network Security Policies and Architecture

1
Network Security Policies and Architecture

• Cyber Security Lab
• Spring 2007

2
Security Policy

• The organizational security policy guides the
  requirements for a security design
• The security policy is an English document
• Hopefully rather precise
• Defines the goals of the security implementation
• References for security policy
• SANS policy examples http//www.sans.org/resources
  /policies/
• University of Illinois Security policy
  http//www.aits.uillinois.edu/webtrans/live/Site.x
  ml?documentSecurityStandards.xmlfocusnull

3
Security Policy

• Driven by
• Internal Risk Analysis
• External legislation or requirements
• Demonstrating a standard of care
• Sector standards
• GASSP, NIST 800-53, ISO-17799

4
Several Layers of Policy

• Organization wide Tier 1
• e.g., Conflict of Interest, Information Security,
  Workplace security, Records Management
• Topic specific Tier 2
• Under Information Security Tier 1 e.g., Access
  Control, Systems Development, Asset
  Classification
• Application specific Tier 3
• e.g., policies on maintaining compass data,
  submitting grades

5
Example Policies

• From SANS Primer
• http//www.sans.org/resources/policies/Policy_Prim
  er.pdf?portalc849ff4e83228b5611b8fa9b5ea06d7e
• From University of Illinois (all campuses)
• http//www.aits.uillinois.edu/webtrans/live/Site.x
  ml?documentSecurityStandards.xmlfocusnull
• From UIUC
• http//www.cio.uiuc.edu/policies.html
• From UIUC Crop Sciences
• http//www.cropsci.uiuc.edu/csmyth/documents/secur
  itypolicies.htm

6
Not policies but related

• Standards
• Required tools or actions for an environment to
  support the policies
• Required software on desktop computers
• Procedures
• Step by step guidelines for operating within the
  policy
• Steps to perform the weekly backup

7
What is a security architecture?

• A framework that guides the security
  implementation
• Guided by the security policy
• Breaks the problem into modular pieces
• Can implement and perfect a module
• Can repeat implementation of proven modules and
  organization grows, e.g. remote office module
• Abstracting from implementation specifics aids in
  understanding the guiding structure of the system

8
Security Architectures

• Can be found for many general system elements
• Java
• http//java.sun.com/j2se/1.4.2/docs/guide/security
  /spec/security-spec.doc.html
• Client server applications
• .net http//msdn2.microsoft.com/en-us/library/yedb
  a920(VS.80).aspx
• CORBA http//www.omg.org/technology/documents/form
  al/omg_security.htm

9
Cisco SAFE

• A series of network security architecture
  blueprints
• http//cisco.com/en/US/netsol/ns340/ns394/ns171/ns
  128/networking_solutions_package.html
• Identifies frameworks for particular scenarios
• Analyzes placement of security enforcement
  devices in the network design
• Even if you dont use these modules, the analysis
  can help you understand reasons for using
  mechanisms at various points
• Modules enable people to incorporate portions of
  the blueprint into their environment

10
Cisco Icon Overview

• Complete overview at http//www.cisco.com/warp/pub
  lic/503/2.html

11
Overall Enterprise Design
12
Enterprise Campus
13
Management Module
14
Building Distribution Module
15
Building Module
16
Server Module
17
Edge Distribution Module
18
Second portion of architecture
19
More of the second portion
20
Corporate Internet Module
21
Corporate Internet Another View
22
VPN/Remote Access Module
23
E-Commerce Module
24
E-Commerce Module, another view